Re: [Qemu-devel] [PATCH for-3.1] hw/xen/xen_pt_graphics: Don't trust the BIOS ROM contents so much
Fri, 14 Dec 2018 11:50:16 +0000
On Mon, 26 Nov 2018 at 15:03, Anthony PERARD <address@hidden> wrote:
> On Mon, Nov 19, 2018 at 04:26:58PM +0000, Peter Maydell wrote:
> > Coverity (CID 796599) points out that xen_pt_setup_vga() trusts
> > the rom->size field in the BIOS ROM from a PCI passthrough VGA
> > device, and uses it as an index into the memory which contains
> > the BIOS image. A corrupt BIOS ROM could therefore cause us to
> > index off the end of the buffer.
> > Check that the size is within bounds before we use it.
> > We are also trusting the pcioffset field, and assuming that
> > the whole rom_header is present; Coverity doesn't notice these,
> > but check them too.
> > Signed-off-by: Peter Maydell <address@hidden>
> > ---
> > Disclaimer: compile tested only, as I don't have a Xen setup,
> > let alone one with pass-through PCI graphics.
> > Note that https://xenbits.xen.org/xsa/advisory-124.html
> > defines that bugs which are only exploitable by a malicious
> > piece of hardware that is passed through to the guest are
> > not security vulnerabilities as far as the Xen Project is
> > concerned, and are treated like normal non-security-related bugs.
> > So this is just a bugfix, not a security issue.
> > Marked "for-3.1" because it would let us squash another Coverity
> > issue, and it is a bug fix; on the other hand it's an obscure
> > corner case and has been this way since forever.
> I haven't tested that patch either, but the changes look fine, so:
> Acked-by: Anthony PERARD <address@hidden>
Ping! Would the Xen folks like to test this and/or send it in
via a xen pullreq now that 4.0 has reopened for development?
Alternatively I can put it in via a pullreq I'm currently
doing in its current "not tested but looks fine" state :-)
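
The three checks the commit message describes (whole header present, size within bounds, pointer offset within bounds), as an added C example that is not part of the original patch or of QEMU's code. It assumes the standard PCI option ROM layout (0x55AA signature, size in 512-byte units at offset 2, 16-bit pointer to the "PCIR" structure at offset 0x18); the function names and the sample image are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ROM_HDR_LEN  0x1a /* header through the 16-bit pointer at offset 0x18 */
#define PCIR_MIN_LEN 0x18 /* smallest PCI data structure */

/* Return the image length claimed by the header (size field * 512), or 0 if
 * any header-derived offset would land outside buf[0..buf_len). */
size_t rom_checked_len(const uint8_t *buf, size_t buf_len, size_t *pcir_off)
{
    if (buf_len < ROM_HDR_LEN) return 0;             /* whole header present? */
    if (buf[0] != 0x55 || buf[1] != 0xaa) return 0;  /* option ROM signature */
    size_t len = (size_t)buf[2] * 512;               /* untrusted size field */
    if (len == 0 || len > buf_len) return 0;
    size_t off = (size_t)buf[0x18] | ((size_t)buf[0x19] << 8); /* untrusted */
    if (off > len - PCIR_MIN_LEN) return 0;          /* len >= 512, no wrap */
    if (memcmp(buf + off, "PCIR", 4) != 0) return 0;
    *pcir_off = off;
    return len;
}

/* Consumer that indexes by the size field: make the image sum to zero. */
int rom_fix_checksum(uint8_t *buf, size_t buf_len)
{
    size_t off, len = rom_checked_len(buf, buf_len, &off);
    uint8_t sum = 0;
    if (len == 0) return -1;                         /* reject, touch nothing */
    for (size_t i = 0; i < len; i++) sum += buf[i];
    buf[len - 1] -= sum;                             /* in bounds: len <= buf_len */
    return 0;
}

/* Constructed sample image, not a real VGA BIOS. */
void make_rom(uint8_t *buf, size_t buf_len, uint8_t units, uint16_t pcir_off)
{
    memset(buf, 0x11, buf_len);
    buf[0] = 0x55; buf[1] = 0xaa; buf[2] = units;
    buf[0x18] = pcir_off & 0xff; buf[0x19] = pcir_off >> 8;
    if ((size_t)pcir_off + 4 <= buf_len) memcpy(buf + pcir_off, "PCIR", 4);
}

int main(void)
{
    uint8_t rom[1024];
    make_rom(rom, sizeof rom, 2, 0x40);           /* claims 1024 bytes */
    if (rom_fix_checksum(rom, sizeof rom) != 0) return 1;
    make_rom(rom, sizeof rom, 4, 0x40);           /* claims 2048 bytes */
    return rom_fix_checksum(rom, sizeof rom) == -1 ? 0 : 1;
}
```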